Operational Risk

KPMG
g
Business Dialogue
KPMG Luxembourg, 23rd May 2012
Operational
p
Risk
Sven Muehlenbrock, Head of Financial Risk Management
Francesca Messini, FRM, Financial Risk Management
Bertrand Segui, Actuary, Financial Risk Management
Agenda
Introduction
Well known cases
Regulatory Framework
Operational Risk Management Process
The benefit to implement an operational risk management framework
Hints on implementing an operational risk management and
measurement system
What is next?
KPMG Solution
2012 KPMG Luxembourg S. r.l., a Luxembourg private limited company, is a subsidiary of KPMG Europe LLP and a member of the
KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights
reserved.
Operational risk in bank, funds and insurance company

What did we learn?
Barings case
The trader Nick Leeson led to a loss
of USD 1.4 bio at his employer
Barings Plc Bank, that declader
bankruptcy, taking a position in
derivates.
1994
SocGen case
The trader Jerome Kerviel led to a
loss of EUR 4.9 bio at his employer
SocGen, taking a massive
unidirectional position in European
equity index futures in 2007 and
2008
2008
Unsuitable investments
JP Morgan, UBS, Depfa Bank and
Deutsche Bank paid approximately
USD 602.4 mio to municipalities of
Milan, Italy, for selling complex
derivatives inappropriate for
inexperienced investors
2012
Clients, products
and business
practices events
continue to make up
the majority of the
top five losses each
month.
Source: SAS Software
reserved.
Operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events.
This definition includes legal risk, but excludes strategic and reputational risk
Cause
Internal
(process, people
and systems)
External
Risk Event (what goes wrong)

Fraud
Human error in processing transactions
Missing a control step
Disruption or system failures (hardware, software,
telecommunications)
Act of sabotage or vandalism from an employee
Not compliance with law and regulatory requirements
Di
Dispute
t with
ith employee
l
d
due tto di
discrimination
i i ti or h
harassmentt
New service and/or change in the current processes
Fraud
Act of terrorism and sabotage
reserved.
Impact
Customers claim
Near misses
Forgone Revenue
Repurchase of stuff
Fine from authority
Agenda
Introduction
Well known cases
The benefit to implement an operational risk management
measurement system
What is next?
KPMG Solution
reserved.

Regulatory framework
Bank
ManCo and Funds
Insurance companies
Basel II / III
CSSF Circular 07/290
Solvency II
Level 2 implementation
measures, CP 52, final advice
AIFMD (RTS)
Three-pillar approach
Pillar 1
Quantitative capital
requirements
Pillar 2
Qualitative supervisory
review
Pillar 3
Market discipline
Own Funds
ICAAP
Transparency
Market Risk
p
y Review
Supervisory
Process (SRP)
Disclosure requirements
q
Credit Risk
Operational Risk
Own risk and solvency

assessment (ORSA)
...
reserved.
Solvency and financial

condition report (SFCR)

Regulatory framework for Banks
Advanced Measurement Approach
Basel II, Pillar I: Capital Requirement

Three approaches: the increase of sophistication
is related to the fact that the AMA can be tailormade to the specific bank
Standard Approach*
SA
Regulatory Capital = GI *BL
Regulatory Capital = Internal statistical

model - capital charge is equal to the
unexpected losses (UL) with 1 year of
horizon time and 99.9% of confidence level;
effect of insurance up to 20% can be taken
i t accountt
into
develop a risk management framework:

methods to identify, assess, monitor and
control;
Collect internal loss data;
use external losses;
perform scenario analysis and review

business environment and internal
control factors;
validate the model results.
(between 12% and %)
Basic Indicator Approach
board of directors and senior management actively involved;
clear role and responsibilities assigned;
Regulatory Capital =
systematic collection of operational risk data, integrated into the processes;
Average of last 3 years GI *

*
regular
l reporting
ti and
d good
d documentation;
d
t ti
subject to regular review by external auditors and/or supervisors.
BIA
reserved.
sophisticattion
AMA
* ASA alternative SA 2 BLs based on ptf volume instead of GI

Regulatory framework for AIFM
AIFMs shall
implement
adequate risk
management
systems in
order to
identify
identify,
measure and
monitor
appropriately
all risks
relevant to
each AIF
investment
strategy and
to which each
AIF is or may
be exposed
(Directive 2011/61/EU
art 15)
Operational Risk
AIF
AIFM
A failure in operation can impact
Potential liability from professional
the return of AIF
negligence in performing the
Examples:
Failures in trading,
settlement and valuation
services
Internal or external fraud
Failure in the reconciliation

processes performed by
fund administration
Etc.
reserved.
activities of AIFM
Implementation of operational risk

management framework
Additional Own Funds
Hold a professional indemnity insurance

Regulatory framework for AIFM
QUAL
QUANT
Professional
Indemnity
Insurance (PII)
Additional Own
Funds
0.01% * AuM
Can be lowered to 0.008% provided AIFM can demonstrate that liability risk is
adequately captured, based on historical loss data and minimum historical
observation of 3 years
Implement an effective internal operational risk management policies and
procedures
It shall be performed by an independent function
Record and make use of historical internal loss data, external data, scenario
analysis and factors reflecting internal controls
reserved.

Regulatory framework for Insurance companies
Under Solvency II, there are two ways to calculate the exposure to operational risk
Standard Formula
Internal / Semi internal

model
Advantage:
- Simple to implement and fast calculation
- Doesnt require to create sophisticated models
- Already approved by the regulator
Inconvenients:
- The formula is deterministic and doesnt fit to every business
- The calibration has been done on the whole insurance market and may be totally inappropriate for
specific
ifi iinsurance off reinsurance
i
companies
i lleading
di to potential
i l overestimation
i
i off the
h capital
i l charge
h
- The formula remains static and doesnt integrate any update of the companys historical losses
reserved.

Solvency I balance sheet / The lack of risk management
Excess of
capital
Solvency
Margin
Required
((SMR))
ASSETS
In book value
Capital
In non-life:
SMR Max (18 %. P 50 M 16 %. P 50 M ; 26 %. P 35 M 23 %. P 35 M )
Technical
Provisions
In life:
SMR 4 %. P 2 %. Riskycapit al
NO RISK MANAGEMENT
The operational risk had NO impact on the
solvency margin
reserved.

The standard formula approach
Market
Health
Default
reserved.
Life
Non-life
Intangible
12

BSCR
Market
Health
Default
reserved.
Life
Non-life
Intangible
13

SCR
Adj
Market
Health
BSCR
Default
reserved.
Operational
Life
Non-life
Intangible
14

SCR
Adj
Market
Health
BSCR
Default
Operational
Life
Non-life
Intangible
In the context of the standard formula, the operational risk is a function of the BSCR:
Operational Risk = Min ( 30% x BSCR ; Op ) + 25% Exp UL
Where:
- Op is a charge for all business other than Unit Linked products (simple formula expressed as
a % of premium and a % of the technical provisions)
- Exp UL represents the expenses incurred the last 12 months in respect with UL products
reserved.
Agenda
Introduction
Well known cases
measurement system
What is next?
KPMG Solution
reserved.

Implement an advanced operational risk management approach

is much more that capital relief!!
It is not just fulfil some regulatory capital obligations!!!
Go deeper to the end of the things, understanding the root cause

Make operational risk very concrete and keep it alive
Employees start using it for their day-to-day risk management,
embedded in the business
reserved.

Pay attention to the invisible part of the iceberg
In some cases, operational risk is

the cause of the exposure to other
risks
i k type.
t
Silo mentality results in lack of
understanding of operational risk as
di
driver
ffor other
th risk
i k ttypes.
Model
ode
risk
Credit
Risk
Liquidity
Liq
idit
risk
Operational
Risk
Some of the well-known
ell kno n e
examples
amples are
the market-related operational risk
events which are often associated with
rouge trading, unauthorized, leverage
operations or complex instruments
and new products.
reserved.
Market
risk
Business
Risk
The Benefit for the institution to implement an operational risk management

Sound evaluation of all the processes
It is integrated and
interfere with the
b i
business
off the
th
institution.
Operational
O
ti
l Ri
Risk
k
Management function has
a global picture of the risk
profile of the entire
instit tion
institution.
Internal
Audit
Private
Banking &
Asset
management
Back Office
Operational
Risk
Function
Legal
Accounting
Complian-ce
HR, IT,
Facility
reserved.
Front Office

Implement an operational risk management framework
To create value for the management of operational risk, the actual risk exposure must
be aligned with the overall risk appetite of the institution
Risk Policy &

Strategy
Risk
M
Management
t
& Monitoring
Risk
Reporting
Risk
Identification
Risk
Assessment
Culture and Awareness

reserved.
Operational Risk Policy, S

Strategy &
Procedures
P
Governan
nce and Orga
anization
Operational Risk
Management Framework

Have a sound view: past + future thinking the unthinkable
Operational Risk management process is based on the relationship among various
instruments
Operational Risk Management

R
Reporting
ti
Measurement and Modeling of Capital charge
External Loss Data

Internal Loss Data
BACKward-looking
Business
Environment (KRI)
Control Factors
PRESENT-looking
Process Risk Mapping

reserved.
Scenario Analysis
FORward-looking

Identification
Ri k Policy
Risk
P li &
Strategy
Risk
M
Management
t
& Monitoring
Risk
Reporting
Risk
Identification
Risk
Assessment
The detection of any event which potentially triggers a

material
t i lb
business
i
iimpact,
t or which
hi h represents
t a
modification of the risk profile, must be done as early as
possible (timely) and could be initiated by:
Claims from customers or incidents
Key Risk Indicators breaches
External Losses
Change of business
New regulatory requirement
Internal / External Audit finding
New product / project
Scenario Analysis
Etc...
All risks as well as root causes of losses are identified and mapped
pp to the banks risk classification ((Basel II
Event Type) and the potential impact estimated (how, where, how much)
reserved.

Identification
Identify an operational risks means at the same time identify its root cause
Internal Fraud
Losses due to acts of a type intended to defraud, misappropriate property or

circumvent regulations, the law or company policy, excluding diversity/
discrimination events, which involves at least one internal party
External Fraud
Losses due to acts of a type intended to defraud, misappropriate property

or circumvent the law, by a third party (theft, hacking damage, etc.)
Employment Practices
and Workplace Safety
Losses arising from acts inconsistent with employment

employment, health or safety laws
or agreements, from payment of personal injury claims,
or from diversity / discrimination events diversity
Clients, Products and

Business Practices
Losses arising from an unintentional or negligent failure to meet a professional

obligation to specific clients (including fiduciary and suitability
requirements), or from the nature or design of a product.
Damage to Physical Assets
Losses arising from loss or damage to physical assets from natural disaster or
other events (terrorism, vandalism).
Business Disruption and

System Failures
Losses arising from disruption of business or system failures (hardware,

software, telecommunications)
Execution,, Delivery
y and
Process Management
Losses from failed transaction processing or process management, from

relations with trade counterparties and vendors (miscommunication
(miscommunication, wrong data
entry/ handling, delivery failures, negligent loss of clients assets, etc.)
reserved.

Identification
The instruments usually used in order to identify ex ante, and then monitor and
calculate the exposure to operational risk are:
External Loss Data
Business
Environment (KRI)
Internal Loss Data
Control Factors
BACKward-looking
PRESENT-looking
Scenario Analysis
FORward-looking
In the regulation these instruments are identified as the key building blocks of risk
measurements, BUT it does not elaborate on how to put them together.
I tit ti
Institutions
have
h
the
th tasks
t k off finding
fi di
the
th mostt appropriate
i t way!!
reserved.

Assessment
Ri k Policy
Risk
P li &
Strategy
Risk
M
Management
t
& Monitoring
Risk
Reporting
Risk
Identification
The Operational
p
Risk Function assesses the
risk exposure both in qualitative and
quantitative term.
The assessment of an incident or a potential
risk aims at quantifying the risk in financial
terms using
i either
i h simple
i l or sophisticated
hi i
d
methodologies like simulation using Monte
Carlo approach.
Risk
Assessment
Think the unthinkable! Integrate the backward-looking view with the forward-looking
reserved.
Operational Risk
Assessment with LDA Model Overview
The most popular method in the industry to satisfy the highest standards is the loss
distribution approach (LDA)
INPUT
OUTPUT
Adjustments: KRI,
mitigation factors
(i e insurance
(i.e.
insurance, ect)
Frequency Distribution
External losses
Loss Distribution
Body Tail
Internal losses
Severity Distribution
Monte
Carlo
Simulation
Body
Expected
Loss
Scenario data
T il
Tail
reserved.
99.5 /99.9%
Quantile
Example of internal module simulation

We consider an insurance company with following characteristics:
50 years old
Historical loss data well documented:
* 3 fraud events
* 5 lawsuit actions
* 2 vandalism
* 7 damages to physical assets
Losses in the range 100 000 - 1 000 000

Losses in the range 50 000 - 200 000
Step 1: Inputs
Convert those events into scenarios:
Scenario 1
Scenario 2
Scenario 3
Scenario 4
Range of loss severity

(
(EUR)
)
100 000 1 000 000
50 000 200 000
10 000 150 000
40 000 800 000
Frequency
(
(years)
)
3/50
5/50 = 1/10
2/50 = 1/25
7/50
As the number of losses may remain an insufficient basis, one more scenario deemed relevant can
be added:
*T
Terrorism
i
attack
tt k
Scenario 5
500 000 10 000 000
reserved.
1/200
Example of internal module simulation
Step 2:
We translate the severity information into a scale distribution of severity and we fit the best
parametric distribution
Frequencies
1
Losses (Severity)
Step 3
W suppose than
We
th severity
it and
d frequency
f
are two
t
independent
i d
d t random
d
variables
i bl and
d we simulate
i l t
them independently
Excel sheet
reserved.

Reporting
Enhance senior management awareness of
operational risk: it is put on the agenda
Risk Policy &
Strategy
Risk
Management
& Monitoring
Risk
Reporting
Risk
Identification
The BoD and Senior Management are timely and

soundly informed about material risks and change of
the actual risk profile of the bank, covering causes,
potential early mitigation measures, assessment and
recommendation,
d ti
in
i order
d to
t take
t k the
th appropriate
i t
action.
BoD Senior
Management
Risk
Assessment
Operational
O
i
l Ri
Risk
kM
Management
Function
Unit A
reserved.
Unit B
Unit C

Reporting
Benefit of having in place a timely reporting and escalation process:
Internal view
Enhance awareness of risk
More informed decisions making
Clearlyy defined procedures

p
for
action and remedial steps in the
event of material breaches
External view
Increase reputation versus

competitors
Reduce exposure to reputational
risk through timely management of
operational incidents
Improve communication and
disclosure to external stakeholders
like:
Supervisors
Auditors
Rating agencies
Clients
Shareholders
reserved.

Management and Monitoring
Risk Policy &
Strategy
The Operational Risk Management

function should support the BoD in
taking the most appropriate mitigation
action based on the reported information
Risk
Management
& Monitoring
High Severity / Low Frequency events

Insurance policies & Self Insurance
Derivatives hedging (cat options and cat bonds)
Risk
Reporting
Risk
Identification
Risk
Assessment
H
AVOID
severityy
TRANSFER
ACCEPT
MITIGATE
L
frequency
Limitation or stop of
product / project
Change investment type
High Frequency / Low Severity events
Enhancement of internal controls
Business Continuity Planning (systems, supplier,
staff and workspace)
reserved.
Hints
on implementing a operational risk management and measurement system
Data integrity:
use of external loss data
data, which require a mapping or scaling to the firms own data
poor-quality of internal loss data creeping into model assumptions
Perform scenario analysis using a bottom
bottom-up
up approach
Increase the operational risk culture in the firm
Do not ignore tools like Key Risk Indicators (KRIs) for monitoring operational risk
Standard IT tool to centrally collect all data (for instance internal losses, breaches, external losses,
findings, etc.) and related information (mitigation actions taken, procedures)
Advanced approaches: stress testing & sensitivity analysis in the scope of model validation
reserved.
What is next?
Top 10 operational risk concern for 2012 and beyond

Fraud and insider risk
Disaster recovery and business continuity
Miss-selling
Regulatory
g
y compliance
p
Online security
Model risk
Sanctions and money laundering
Ongoing updates: for bank AMA model change Policy (EBA GL 45; CSSF Circular 12/535)
Looking for more sensible approaches
under discussion the alfa and beta indicators used in the BIA and SA for banks
replace the Gross Income as indicator
reserved.
KPMG Solutions
Impact study
(cost-benefit analysis)
Assistance in enhancing the

risk management framework
KPMG
Assistance in the
implementation of advance
models and in obtaining
regulatory approval
reserved.
Assistance in operational
risk modeling

Operational Risk

Uploaded by

Copyright:

Available Formats

You might also like

Operational Risk

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Operational Risk

Uploaded by

Copyright:

Available Formats

KPMG

Operational risk in bank, funds and insurance company

Operational risk in bank, funds and insurance company

Risk Event (what goes wrong)

Operational risk in bank, funds and insurance company

ManCo and Funds

CSSF Circular 07/290

CSSF Circular 06/273

CSSF Circular 11/512

Own risk and solvency

Solvency and financial

Operational risk in bank, funds and insurance company

Basel II, Pillar I: Capital Requirement

Regulatory Capital = Internal statistical

develop a risk management framework:

Collect internal loss data;

use external losses;

perform scenario analysis and review

validate the model results.

(between 12% and %)

Basic Indicator Approach

board of directors and senior management actively involved;

clear role and responsibilities assigned;

systematic collection of operational risk data, integrated into the processes;

Average of last 3 years GI *

subject to regular review by external auditors and/or supervisors.

* ASA alternative SA 2 BLs based on ptf volume instead of GI

Operational risk in bank, funds and insurance company

A failure in operation can impact

Potential liability from professional

the return of AIF

negligence in performing the

Internal or external fraud

Failure in the reconciliation

Implementation of operational risk

Additional Own Funds

Hold a professional indemnity insurance

Operational risk in bank, funds and insurance company

Operational risk in bank, funds and insurance company

Internal / Semi internal

Regulatory framework for Insurance companies

SMR Max (18 %. P 50 M 16 %. P 50 M ; 26 %. P 35 M 23 %. P 35 M )

Regulatory framework for Insurance companies

Regulatory framework for Insurance companies

Regulatory framework for Insurance companies

Regulatory framework for Insurance companies

Operational risk in bank, funds and insurance company

Implement an advanced operational risk management approach

Go deeper to the end of the things, understanding the root cause

Operational risk in bank, funds and insurance company

In some cases, operational risk is

The Benefit for the institution to implement an operational risk management

The Benefit for the institution to implement an operational risk management

Risk Policy &

Culture and Awareness

Operational Risk Policy, S

The Benefit for the institution to implement an operational risk management

Operational Risk Management

External Loss Data